Xybion Webinar - Rumors, Risks and Realities of spreadsheet validation
-
Upload
kmxybionbionb -
Category
Technology
-
view
262 -
download
1
description
Transcript of Xybion Webinar - Rumors, Risks and Realities of spreadsheet validation
www.xybion.com
Spreadsheet ValidationRumors, Reality,
& RisksLive Webinar
www.xybion.com
Xybion Corporation Fast Facts
Founded in 1977Privately Held, NMSDC Certified MBE
R&D SolutionsGRC/BPM SolutionsEnterprise Asset and Content Management Services & Solutions
NJ and PA Locations in USQuebec City, CanadaGermanyIndia
Innovative Development & Testing COE In IndiaDelivers Quality Testing & Development ServicesInternal Product Development & Support
Lowering Total Cost of OwnershipDelivering Enterprise Products, Services, and Solutions That Power Innovation & Efficiency
Corporate
Our Products
Global Locations
Our Global Services
Value Proposition
www.xybion.com
Xybion Offers Comprehensive Industry Solutions for major Enterprise Processes under one roof, lower Total Cost Of Ownerships through validated software and services implemented through a global hybrid resource model based in US. Canada and India.
GRC
Total Preclinical
Quality Management
ECM Migration & Consolidation
ECM Synchronization
CAPAAudit Mgt
Incident Mgt
Change Control
NCDoc Mgt
Automated Migration
Bulk Consolidation
Metadata Consolidation & Transformations
Repository Synchronization & Replication
Vivarium Management and Veterinary Care
Research & Safety Study Management
Internal Controls
IT Governance
Risk Mgt
LMS PMO
Complaint Mgt
EAM EAM SoftwareEAM Professional
ServicesEAM Custom Development
Validation & Verification Services
Validation & Testing
Software Testing Services
www.xybion.com
About the speaker
Harry Huss has over 25 years of experience in the pharmaceutical industry. He is currently Executive Director, Brandywine Compliance Consulting, LLC, and has held positions as Senior Director Compliance Policy & Program Support Services, Charles River Laboratories, Inc., Associate Director of Computer Validation Quality Assurance, Merck & Company, Inc., and Regulatory Compliance Manager, SmithKline Beecham, Inc. Harry has a M.S. degree in Clinical Microbiology from Thomas Jefferson University, and B.S. degrees in Biology and Medical Technology from Millersville University and Bryn Mawr respectively. He has provided a wide variety of computer validation and Part 11 presentations at professional meetings, provided computer validation training for the FDA, authored the Master Validation Plan for FDA’s National Center for Toxicological Research (NCTR), and published numerous scientific and regulatory compliance articles. Harry is a member of the Drug Information Association Validation Core Committee as well as an original and current member of the Society of Quality Assurance Computer Validation Initiatives Committee (CVIC).
www.xybion.com
Agenda
• Introduction• Rumors• Realities• Risks • Summary• Questions & Discussion
www.xybion.com
Spreadsheet Validation: 3 “R’s”
Rumors Reality
Risks
www.xybion.com
Rumors
www.xybion.com
Rumor #1
• The FDA has indicated that commercially available spreadsheets cannot be adequately validated, and therefore should not be used to support regulated activities.
• The FDA has not indicated that spreadsheets, or any other category of computerized systems, should be excluded from supporting regulated activities.
www.xybion.com
Rumor #2
• The FDA has indicated that due to the widespread use of commercial spreadsheets these applications are deemed to be accurate and reliable, and therefore do not require any further validation by the end user.• The FDA has not exempted spreadsheets, or
any other category of computerized system, from compliance with applicable regulations, when these systems are used to support regulated activities.
www.xybion.com
Rumor #3
• The FDA has indicated that an end user of spreadsheet systems can employ the “calculator rule” to avoid validation, conducting verification of spreadsheet arithmetic calculations using a handheld calculator.
www.xybion.com
Rumor #3 (cont.)
• The FDA does not have a “calculator rule”, exempting spreadsheet validation compliance requirements.
• A handheld calculator could be used as part of the spreadsheet validation process, to verify the accuracy of spreadsheet calculations
• Required validation controls and testing are broader than only arithmetic accuracy.• system security, audit trail function, data input/output,
e-records and e-archival criteria, administrative controls, configuration management controls, etc.
www.xybion.com
Rumor #4
• The FDA has indicated that a company can avoid validation of spreadsheet systems by documenting a risk assessment which states that due to the widespread use of spreadsheet systems, the risk to regulated data created by, or entered into, these spreadsheets is low, and therefore validation of current and future uses of spreadsheet systems will not be required.
www.xybion.com
Rumor #4 (cont.)• FDA has stated repeatedly that risk assessment
is not an alternative to compliance.• FDA has indicated that computerized systems
must be validated for their intended use.• Risk assessment can be employed to
determine:• relative criticality of a system• level of testing needed for individual requirements • level of mitigation/remediation necessary for potential
test script failures• BUT, applicable regulatory requirements remain as
requirements.
www.xybion.com
Reality
www.xybion.com
Reality• FDA 483 and Warning Letter citations for
spreadsheets are more numerous than other categories of computerized systems. There are probably 3 reasons that findings related to spreadsheets are more common:• Large number of spreadsheets• Lack of management support for spreadsheet
validation• FDA investigators and QA auditors know that
spreadsheet systems are often not well controlled (validated), and the spreadsheet applications often have design deficiencies related to requirements for security and audit trails.
www.xybion.com
“Basic” Reality • FDA and other international regulatory agencies
have requirements for validation of computerized systems used to support regulated activities.
• Validation of computerized systems is commonly defined as, documented evidence which provides a high degree of assurance that a computerized system will operate accurately and reliably to its predefined specifications (requirements) and quality attributes.
• A spreadsheet application running on a desktop or laptop computer is a computerized system.
• A spreadsheet used to support regulated activities must be validated for its intended use.
www.xybion.com
“Harsh” Reality• As with most obligate regulatory requirements,
there are no real shortcuts• There are no hidden industry secrets that allow
avoidance of compliance• There is no risk assessment approach which
trumps regulations• During a regulatory inspection, either a
spreadsheet system will have documentation which provides adequate assurance of system accuracy, reliability, and compliance with applicable regulatory “quality attributes” (audit trail, security, etc.)….or adequate documentation will not be available.
www.xybion.com
Reality Efficiencies
• Have a defined process for computerized system validation (including spreadsheets). Nothing saves as much money in the area of validation as having a process which your employees can follow for all computerized systems.
• Don’t start from scratch… plagiarize, plagiarize, and then plagiarize some more.
• Don’t try to validate the spreadsheet program…you won’t be successful.
www.xybion.com
Risks
www.xybion.com
Risks
• The primary risk associated with spreadsheets relates to business continuity
• Will these spreadsheets provide accurate data? • Will these spreadsheets adequately protect data
from being compromised? • The almost infinite configurability and limitless
uses of spreadsheets make these products powerful business tools, but this flexibility also opens the door to bad things happening.
www.xybion.com
Risks• If a company fails to validate spreadsheets used
for regulated activities, then that company is inviting audit report findings or regulatory actions
• With numerous 483 and Warning Letter findings related to spreadsheets, it is clear that FDA investigators are looking at spreadsheet controls and have expectations that these systems be validated for their intended use.
www.xybion.com
Risks• The ease of spreadsheet distribution and
installation presents regulatory control challenges.
• Wide distribution, broad end user individual configuration, less administrative and IT support, result in greater potential for a system to drift out of control
• Must consider how to effectively address system security (applications on laptops go home and travel with people…applications on central servers generally don’t go anywhere).
• How will subsequent change control and configuration management be handled?
www.xybion.com
Risks • FDA investigators and industry auditors are
aware that spreadsheet systems generally have two major design deficiencies related to regulatory compliance…security and audit trail functions.
• IT staff or techie staff members try to mitigate these deficiencies by developing “workarounds”, but often these workarounds do not resolve the compliance deficiencies.
www.xybion.com
Risks• Software vendors recognized the spreadsheet
audit trail and security issues and have produced software products, which operate in tandem with spreadsheets to mitigate these design gaps
• Readily available, easy to install, relatively inexpensive, consistent solution
• Our webinar host, Xybion, produces such a product named Compliance Builder
www.xybion.com
Summary
• Spreadsheets are widely distributed and uniquely configured computerized systems
• Critical to business continuity• Regulatory agencies require these systems to be
validated for their intended use• Commercial products are available to mitigate
design gaps• Rumors do not replace regulations
www.xybion.com
Questions&
Discussions
www.xybion.com
Life Sciences Challenges
Life-SciencesCompanies
IT Governance
Financial Controls
SOX
Global RegulatoryPressure ..FDA …
OperationalEfficiency
www.xybion.com
Compliance Builder - Overview
Xybion is an acknowledged leader in providing enterprise solutions for Regulatory, Quality and Compliance (GRC) to Life Sciences industry.
ComplianceBuilder is one of the solutions from Xybion which helps address one of the core needs CFR Part 11 and related Compliance needs especially with the Life Science companies.
www.xybion.com
How does ComplianceBuilder help?Provides capabilities needed to meet requirements such as:
21 CFR Part 11, Sarbanes-Oxley
Monitors key data sources, such as: Files on Workstations or Servers Tables in Databases Process and Manufacturing
Equipments
www.xybion.com
ComplianceBuilder
Functionality available with 3 sub-systems
www.xybion.com
Thank You!
www.xybion.com